There is no doubt social media has had a groundbreaking impact on society, from making it much easier to connect and communicate with other people to transforming the way information and news disseminates. Yet with great power comes great responsibility, and the grand palace of social media has been crashing down lately. Facebook’s privacy scandal has dominated headlines for months, and various social media companies recently announced updates in their privacy terms. We wanted to take a hard look at few specific privacy concerns from Facebook’s scandal and see why social media companies are busy updating their privacy policies right now.

Facebook has been under scrutiny for months for mishandling its users’ personal information and supplying those to third parties. What are some ways one could unwittingly give away personal information on Facebook?

One conspicuous way is to naively click on the “yes” button when a pop-up screen that asks for permission to access your information appears, often for outside apps that you are trying to connect to your Facebook profile. By clicking yes, you are legally giving the third party consent to access your information. It is easy to assume that it would only access relevant data, but the third party can currently access more than you might expect, such as your public profile, which includes username, age range, language, network, cover photo, etc.

Yet there is a more discreet way a third party could have accessed your information. One of the major privacy concerns that came out of the Cambridge Analytica scandal is that while you may have not seen or clicked on certain content, such as a quiz, your Facebook “friends” may have. Until Facebook upgraded its API in 2015, Facebook allowed third parties to access data about users’ Facebook friends in addition to their own. While this was a significant milestone, this API change didn’t ensure that third parties that have already harvested users’ data delete what they have collected.

This is partly how Cambridge Analytica may have accessed public profile information of a maximum of 87 million users. The issue exploded in April, resulting in Mark Zuckerberg making an appearance at the congressional hearing. A highlight of this hearing was Zuckerberg’s response to a senator’s question about how Facebook makes money: “Senator, we run ads" – with a wide smile.

While the Cambridge Analytica scandal certainly elevated privacy into a national concern, it is not the first time this issue has surfaced. The Guardian reported in 2015 that then-presidential candidate Ted Cruz used psychological data that came from unwarranted research on millions of Facebook users by Cambridge Analytica.

In fact, Facebook’s troubles with privacy issues go back to 2011. In November 2011, Facebook agreed to settle FTC charges that it made users’ private information public and shareable. The settlement also required Facebook to provide users with “clear and prominent notice” as well as getting their “express consent before their information is shared beyond the privacy settings they have established.” While Facebook did have to make this settlement, it got out of it easily – it didn’t even pay a fine.

The latest, somewhat chilling news revealed that Facebook can infer extremely detailed personal information about its users. Note the term infer – while Facebook users have control over their explicit interests, they don’t necessarily have control over what Facebook infers about them. Advertisers can utilize such information for microtargeting. Few examples of users’ interests that advertisers can gather include communism, social democrats and Hinduism. Facebook does try to prevent misuse of such information by barring advertisers from being able to exclude people using sensitive information as well as by requiring advertisers to not engage in “predatory advertising practices.”

According to its most recent privacy policy update, Facebook has significantly limited third parties from accessing data about users’ Facebook friends. Third parties may receive information about the list of friends, but will not be able to obtain any other information. Facebook has been posting updates about its ongoing investigation as well as its security initiatives, so stay tuned.

Privacy policy updates – why now?

Facebook is not the only social media company that is working on its privacy policy; Snapchat, Twitter and many others have recently changed their privacy policies as well. Why now? Are social media companies scared of the investigation that dawns upon them? More specifically, they are responding to an impending law that would be implemented across the Atlantic. The European Union is about to take legal action that may alleviate the pains of social media users across the world.

The General Data Protection Regulation (GDPR), a law that strives to increase transparency and responsibilities of data-gathering and data-processing firms and equip users with a better grip of their personal data, will officially go into effect on May 25. The law applies to “all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location,” which means most large non-European social media companies that we use daily will have to comply with the law.

There will be heavy fines for companies that violate GDPR – up to either 4 percent of annual global turnover or 20 million euros.

Companies will have to ask for users’ consent in a much more “intelligible and easily accessible” form, avoiding legal jargons. Users should also be able to easily withdraw their consent.

Companies will be required to send a breach notification within 72 hours of discovery if it is likely to “result in a risk for the rights and freedoms of individuals.”

Data subjects, i.e. us, will have the right to demand a data controller, a confirmation of whether our personal data is being processed and how the data is being dealt with.

Users will have the right of data portability, which is the right to receive personal data regarding themselves.

While privacy has been something companies dealt with only after it became problematic, GDPR will require companies to consider privacy a key concern for designing their systems – this idea is called “privacy by design.”

Companies that meet certain criteria (such as those that process data on a large scale or those that deal with sensitive data related to criminal activities) will have to appoint DPOs, or data protection officers.

With this proposal becoming a law in just a week or two, social media companies have been updating their privacy policies to comply with it. It’s not a perfect world, but hopefully this law takes us a step closer to one.